Our Viewpoints

Our Viewpoint

How Ignoring Mobile Device Security Increases Your Risk.

October 15, 2014

Enticed by the promise of increased performance and employee flexibility, financial institutions are rightfully beginning to allow employees to bring personally-owned devices into the workplace. Moving into the fully mobile workforce era, we see the trend continue to move into the hands of the consumer. While controlling the enterprise used to be a fairly simple endeavor, financial institutions are now faced with a never-ending onslaught of devices that are smaller, faster and more capable than even the computers sitting on the desktop. Without effective risk strategies, this poses a significant threat to any financial institution that allows Bring Your Own Devices (BYOD) into their environment.

Recent Forrester Research studies show that three out of four professionals use personal devices to access corporate data, with 53 percent of all employees bringing some sort of personally-owned device to work each day. Combine that with the statistics that show over 70 million mobile devices are lost or stolen each year, with about 46 percent of devices in the workplace being completely unmanaged, it is clear that we have a very large problem.

First, let’s fully understand the risks. Today’s typical smartphones are not just phones. They are cameras, voice recorders, scanners, calendars, clocks, navigation systems, gambling devices, portable movie theatres, bookstores, magazine racks, games, and computers. The major issue is that the company’s data is now being stored and transmitted using these devices that the employer does not control, which is sometimes in direct conflict with governmental regulations and recommendations that ask us to carefully protect the privacy and security of sensitive, personal and financial information.

New software, known as Mobile Device Management (MDM) can assist with these risks, and amidst this extreme mobile era, should be considered a mandatory first step if you allow personally-owned devices to have access to your corporate data or network. But equally important, a comprehensive review of policies and procedures is needed to ensure that not only are employees required to behave correctly in respect to protecting this data, but also to protect the company from employee litigation. Many financial institutions are finding gaps in policies and procedures regarding appropriate use of technology because the rules were based on the functionality of devices that existed when the policies and procedures were initially drafted. Policies and procedures should no longer be specific to just the hardware being used, but also should address the broad range of activities for which these devices can be used.

We have to keep in mind that not only do we have issues with keeping our corporate and clients’ data safe, but we also now have the added issue of these devices being used for both personal and work purposes. This opens financial institutions to risk not just from loss of company data, but also to litigation risk from employees who have expectations of privacy on a device that is owned by them. The U.S. courts have consistently held up employees’ rights when employers have attempted to gain access to an employee’s personal device. This has implications for record management regulations, privacy of employee data, overtime for employees using a dual-use device, and access to the employee’s device during litigation holds and investigations.

In order to adequately mitigate the risks associated with BYOD programs, we of course first need to implement strong technical controls using MDM software. This software generally covers device restrictions, encryption, strong passwords and the ability to locate the device and remotely wipe the data from it. But we also need to move beyond simple technical controls and develop a full Risk Management program around BYOD.

At a minimum, action items should include:

  • Implement MDM software with strong technical controls.
  • Develop employee agreements that cover not only the acceptable use of the device, but also reserve the right of the institution to access or wipe the device as needed.
  • Implement operating procedures that ensure all devices are indeed covered and are being used appropriately.
  • Develop and deliver mandatory employee training to teach employees how they should handle the loss or theft of the device. and covers the aforementioned policies.
  • Develop a risk management approach to mobile device security.

Policies that will likely need to be modified to successfully mitigate risk are:

  • Employee Agreements
  • Acceptable Use Policies
  • Compliance and Ethics Policies
  • Data Privacy and Security Policies
  • Records Management Policies
  • Litigation Hold Policies
  • Confidentiality Policies

D+H provides several tools to assist in creating a solid Mobile Device Management program. In addition to software tools such as Compushare C3Compushare Mobile Device Management and Compushare Risk Director, our Risk and Compliance team can assist with the customization of policies and the creation of an effective risk management program.

Entering into the Bring Your Own Device era can be dangerous territory, but with a strong risk management approach and appropriate technical tools, it is possible to achieve the promise of increased employee productivity while mitigating the risks associated with mobile devices.

Author

Karn Griffen
Chief Technologist, Compushare solutions

Karn Griffen leads the architecture team for the Compushare suite of products at D+H. Under Griffen’s leadership, his team provides design and development expertise for the cloud and managed services product lines. Over the past 18 years with the company, Karn has held several roles including vice president of client services, director of risk and compliance, as well as director of organizational development.